Per [RFC2251] and [RFC2252], Active Directory exposes a subSchema object that is pointed to by the subschemaSubentry attribute on the rootDSE. In accord with [RFC2251] section 3.2.2, this subSchema object contains the required cn, objectClass, objectClasses, and attributeTypes attributes. Additionally, it contains the dITContentRules attribute. It does not contain the matchingRules, matchingRuleUse, dITStructureRules, nameForms, or ldapSyntaxes attributes. It contains the modifyTimeStamp attribute but not the createTimeStamp attribute. The subSchema object does not support the createTimeStamp attribute even though its object class derives from top, which contains the createTimeStamp attribute as part of systemMayContain. In contrast to [RFC2252] section 7.2, in Active Directory the subSchema class is defined to be structural rather than auxiliary.
The meanings of the attributeTypes, objectClasses, and dITContentRules attributes are as described in those RFCs. However, the values stored in these attributes use only a subset of the AttributeTypeDescription, ObjectClassDescription, and DITContentRuleDescription grammars described in [RFC2252]. Active Directory uses the following grammars, which are identical to those of [RFC2252] except for the removal of certain elements.

AttributeTypeDescription = "(" whsp
    numericoid whsp                                       ; attributeID
    [ "NAME" qdescrs ]                                    ; lDAPDisplayName
    [ "SYNTAX" whsp noidlen whsp ]                        ; see RFC 2252 section 4.3
    [ "SINGLE-VALUE" whsp ]                               ; default multi-valued
    [ "NO-USER-MODIFICATION" whsp ]                       ; default user modifiable
    whsp ")"

ObjectClassDescription = "(" whsp
    numericoid whsp                                       ; governsID
    [ "NAME" qdescrs ]                                    ; lDAPDisplayName
    [ "SUP" oids ]                                        ; governsIDs of superior object classes
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]  ; default structural
    [ "MUST" oids ]                                       ; attributeIDs of required attributes
    [ "MAY" oids ]                                        ; attributeIDs of optional attributes
    whsp ")"

DITContentRuleDescription = "("
    numericoid                                            ; governsID of structural object class
    [ "NAME" qdescrs ]                                    ; lDAPDisplayName
    [ "AUX" oids ]                                        ; governsIDs of auxiliary classes
    [ "MUST" oids ]                                       ; attributeIDs of required attributes
    [ "MAY" oids ]                                        ; attributeIDs of optional attributes
    ")"
Active Directory supports additional SYNTAX values not defined in [RFC2252]. The following table lists the SYNTAX values returned for each LDAP syntax name. See section 188.8.131.52.2 for more information on syntaxes.
(Table of SYNTAX values by LDAP syntax name; only the column header "LDAP syntax name" is preserved here.)
In addition to the preceding attributes, Active Directory contains two additional subSchema attributes, named extendedClassInfo and extendedAttributeInfo. These return additional data about the classes and attributes in a format similar to objectClasses and attributeTypes, respectively. The grammar used for extendedClassInfo is as follows.
ObjectClassDescriptionExtended = "(" whsp
    numericoid whsp                                       ; governsID
    [ "NAME" qdescrs ]                                    ; lDAPDisplayName
    [ "CLASS-GUID" whsp guid ]                            ; schemaIDGUID
    whsp ")"
The NAME field is as in the ObjectClassDescription grammar. The CLASS-GUID field contains the value of the class's schemaIDGUID attribute. That value, which is a GUID, is expressed not in the dashed-string GUID format of [RFC4122] section 3 but rather as the hexadecimal representation of the binary format of the GUID. For example, the GUID whose dashed-string representation is "3fdfee4f-47f4-11d1-a9c3-0000f80367c1" would be expressed as "4feedf3ff447d111a9c30000f80367c1" in the CLASS-GUID field.
The grammar for extendedAttributeInfo is as follows.
AttributeTypeDescriptionExtended = "(" whsp
    numericoid whsp                                       ; attributeID
    [ "NAME" qdescrs ]                                    ; lDAPDisplayName
    [ "RANGE-LOWER" whsp numericstring ]                  ; rangeLower
    [ "RANGE-UPPER" whsp numericstring ]                  ; rangeUpper
    [ "PROPERTY-GUID" whsp guid ]                         ; schemaIDGUID
    [ "PROPERTY-SET-GUID" whsp guid ]                     ; attributeSecurityGUID
    [ "INDEXED" whsp ]                                    ; fATTINDEX in searchFlags
    [ "SYSTEM-ONLY" whsp ]                                ; systemOnly
    whsp ")"
The NAME field is as in the AttributeTypeDescription grammar. The RANGE-LOWER and RANGE-UPPER fields are present only if the attribute's attributeSchema contains values for the rangeLower and rangeUpper attributes, respectively. If present, those fields contain the values of those attributes. The PROPERTY-GUID field contains the value of the attribute's schemaIDGUID. If the attribute has an attributeSecurityGUID attribute, the PROPERTY-SET-GUID field contains the value of that attribute; otherwise, it contains the value of the NULL GUID. For both PROPERTY-GUID and PROPERTY-SET-GUID, the GUID is represented in the same form as the CLASS-GUID field of the ObjectClassDescriptionExtended grammar. If the fATTINDEX bit of the attribute's searchFlags is set, the INDEXED field is present. If the attribute's systemOnly attribute is true, the SYSTEM-ONLY field is present.
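As an added example (not code from MS-ADTS or from Active Directory itself), the following Python parses values shaped like the grammars above: the RFC 2252 subset used for attributeTypes, objectClasses and dITContentRules, and the extendedClassInfo and extendedAttributeInfo grammars. It also converts the CLASS-GUID / PROPERTY-GUID hex form to and from the dashed [RFC4122] string: the hex form is the byte layout of the binary GUID with the first three fields little-endian, which is what Python's uuid bytes_le produces and what the "3fdfee4f-47f4-11d1-a9c3-0000f80367c1" example in the text shows. The sample values are constructed (OIDs, attribute names and the PROPERTY-GUID are made up; only the CLASS-GUID is the GUID from the text), and the parser accepts both quoted and unquoted SYNTAX and GUID values because the text does not state which form is returned.

```python
import re
import uuid

# Added example (not from MS-ADTS): parse the description grammars returned on
# the subSchema object and convert the CLASS-GUID / PROPERTY-GUID hex form.

# Tokens: parentheses, the "$" separator, single-quoted strings, and bare
# words (OIDs, keywords, noidlen values such as 1.2.3{64}, GUID hex strings).
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

# Keyword classes taken from the grammars quoted in the text.
FLAG_KEYWORDS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "ABSTRACT",
                 "STRUCTURAL", "AUXILIARY", "INDEXED", "SYSTEM-ONLY"}
LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY", "AUX"}  # qdescrs / oids
SCALAR_KEYWORDS = {"SYNTAX", "RANGE-LOWER", "RANGE-UPPER", "CLASS-GUID",
                   "PROPERTY-GUID", "PROPERTY-SET-GUID"}
NULL_GUID_HEX = "00" * 16


def _unquote(token):
    # Quoted and unquoted scalars are both accepted (assumption: the text
    # does not say whether AD quotes SYNTAX or GUID values).
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == "'" else token


def _read_list(tokens, i):
    """Read qdescrs / oids: a single value, or '(' v [ '$' v ... ] ')'."""
    if tokens[i] != "(":
        return [_unquote(tokens[i])], i + 1
    values, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            values.append(_unquote(tokens[i]))
        i += 1
    return values, i + 1


def parse_description(desc):
    """Parse any of the page's description grammars into a dict keyed by keyword."""
    tokens = _TOKEN.findall(desc)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be a parenthesised list")
    parsed = {"oid": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        keyword, i = tokens[i], i + 1
        if keyword in FLAG_KEYWORDS:
            parsed[keyword] = True
        elif keyword in SCALAR_KEYWORDS:
            parsed[keyword], i = _unquote(tokens[i]), i + 1
        elif keyword in LIST_KEYWORDS:
            parsed[keyword], i = _read_list(tokens, i)
        else:
            raise ValueError(f"unexpected token {keyword!r} in {desc!r}")
    return parsed


def schema_guid_to_string(hex_guid):
    """Hex of the binary GUID (first three fields little-endian) -> RFC 4122 dashed form."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_guid)))


def string_to_schema_guid(dashed):
    """Inverse: dashed GUID string -> the hex form used by CLASS-GUID / PROPERTY-GUID."""
    return uuid.UUID(dashed).bytes_le.hex()


def parse_object_class(desc):
    """objectClasses value; kind defaults to STRUCTURAL as the grammar comment states."""
    p = parse_description(desc)
    kind = next((k for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY") if k in p), "STRUCTURAL")
    return {"governs_id": p["oid"], "name": p.get("NAME", [None])[0], "kind": kind,
            "superiors": p.get("SUP", []), "must": p.get("MUST", []), "may": p.get("MAY", [])}


def parse_extended_attribute_info(desc):
    """extendedAttributeInfo value -> typed fields (ranges as int, GUIDs dashed)."""
    p = parse_description(desc)
    set_guid = p.get("PROPERTY-SET-GUID", NULL_GUID_HEX)
    return {
        "attribute_id": p["oid"],
        "name": p.get("NAME", [None])[0],
        "range_lower": int(p["RANGE-LOWER"]) if "RANGE-LOWER" in p else None,
        "range_upper": int(p["RANGE-UPPER"]) if "RANGE-UPPER" in p else None,
        "schema_id_guid": schema_guid_to_string(p["PROPERTY-GUID"]),
        # NULL GUID means the attribute has no attributeSecurityGUID (no property set).
        "attribute_security_guid": None if set_guid == NULL_GUID_HEX else schema_guid_to_string(set_guid),
        "indexed": "INDEXED" in p,
        "system_only": "SYSTEM-ONLY" in p,
    }


# Constructed sample values in the shape AD returns. OIDs, names and the
# PROPERTY-GUID are made up; the CLASS-GUID is the example GUID from the text.
SAMPLE_OBJECT_CLASS = ("( 1.2.3.4.100 NAME 'exampleClass' SUP top STRUCTURAL "
                       "MUST ( cn ) MAY ( description $ exampleAttr ) )")
SAMPLE_EXTENDED_CLASS = "( 1.2.3.4.100 NAME 'exampleClass' CLASS-GUID 4feedf3ff447d111a9c30000f80367c1 )"
SAMPLE_EXTENDED_ATTR = ("( 1.2.3.4.200 NAME 'exampleAttr' RANGE-LOWER 1 RANGE-UPPER 256 "
                        "PROPERTY-GUID 00112233445566778899aabbccddeeff "
                        "PROPERTY-SET-GUID 00000000000000000000000000000000 INDEXED )")

if __name__ == "__main__":
    print(parse_object_class(SAMPLE_OBJECT_CLASS))
    print(schema_guid_to_string(parse_description(SAMPLE_EXTENDED_CLASS)["CLASS-GUID"]))
    print(parse_extended_attribute_info(SAMPLE_EXTENDED_ATTR))
```

parse_description returns the raw keyword map and works for all five grammars because they share one token shape; the two typed wrappers apply the defaults the grammar comments give (STRUCTURAL when no kind keyword is present, a NULL PROPERTY-SET-GUID meaning the attribute has no attributeSecurityGUID) and turn the hex GUIDs back into the dashed form most tooling expects.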
The attributeTypes, objectClasses, dITContentRules, extendedClassInfo, and extendedAttributeInfo attributes on the subSchema object are read-only. They permit applications to discover the schema on the DC, but they are not the mechanism for changing the schema on the DC. DCs change their schema in response to the addition or modification of classSchema and attributeSchema objects in the schema NC. These objects also contain attributes that supply additional information about the schema that is not present in the attributes of the subSchema object, such as the systemFlags attribute, which specifies additional properties of an attribute (for example, whether it is a constructed attribute). The attributeSchema and classSchema objects and their associated attributes are specified in section 184.108.40.206.
If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, the attributeTypes, dITContentRules, extendedAttributeInfo, extendedClassInfo, and objectClasses attributes on the subSchema object do not contain defunct attributes or classes, only active attributes or classes.